strongswan.git
7 years agoInstall libtls development headers
Martin Willi [Wed, 11 Jul 2012 08:51:01 +0000 (10:51 +0200)]
Install libtls development headers

7 years agoInstall libfast development headers
Martin Willi [Wed, 11 Jul 2012 08:41:47 +0000 (10:41 +0200)]
Install libfast development headers

7 years agoDefine CONFIG_H_INCLUDED in Android build
Martin Willi [Wed, 11 Jul 2012 08:00:27 +0000 (10:00 +0200)]
Define CONFIG_H_INCLUDED in Android build

7 years agoCheck if config.h passed correctly via gcc -include
Martin Willi [Wed, 4 Jul 2012 12:53:21 +0000 (14:53 +0200)]
Check if config.h passed correctly via gcc -include

7 years agoInstall libstrongswan development headers
Martin Willi [Tue, 3 Jul 2012 15:27:46 +0000 (17:27 +0200)]
Install libstrongswan development headers

7 years agoUse and install a config.h AC_CONFIG_HEADER that contains all AC_DEFINE results
Martin Willi [Tue, 3 Jul 2012 14:45:12 +0000 (16:45 +0200)]
Use and install a config.h AC_CONFIG_HEADER that contains all AC_DEFINE results

7 years agoAdded a description to all AC_DEFINE macros, as required by autoheader
Martin Willi [Tue, 3 Jul 2012 14:40:26 +0000 (16:40 +0200)]
Added a description to all AC_DEFINE macros, as required by autoheader

7 years agoAdd safe_strerror() to leak detective whitelist
Martin Willi [Wed, 11 Jul 2012 06:45:15 +0000 (08:45 +0200)]
Add safe_strerror() to leak detective whitelist

While the thread specific strerror buffer gets cleaned up for
worker threads during their termination, the main thread itself,
and so its strerror buffer, is still alive during leak reports.

7 years agoSend cert request based on peers configured authentication class
Martin Willi [Tue, 10 Jul 2012 15:15:28 +0000 (17:15 +0200)]
Send cert request based on peers configured authentication class

7 years agoAdd an option to disable libstrongswan certificate caching
Martin Willi [Mon, 9 Jul 2012 17:03:10 +0000 (19:03 +0200)]
Add an option to disable libstrongswan certificate caching

7 years agogetpwnam_r and getgrnam_r are not supported by the Android NDK
Tobias Brunner [Mon, 9 Jul 2012 15:49:18 +0000 (17:49 +0200)]
getpwnam_r and getgrnam_r are not supported by the Android NDK

7 years agoAndroid.mk of libstrongswan updated
Tobias Brunner [Mon, 9 Jul 2012 14:50:17 +0000 (16:50 +0200)]
Android.mk of libstrongswan updated

7 years agoDon't send CERTREQs when initiating aggressive mode PSK
Martin Willi [Mon, 9 Jul 2012 10:05:23 +0000 (12:05 +0200)]
Don't send CERTREQs when initiating aggressive mode PSK

7 years agoFixed help text for --disable-xauth-generic plugin
Tobias Brunner [Mon, 2 Jul 2012 10:49:29 +0000 (12:49 +0200)]
Fixed help text for --disable-xauth-generic plugin

7 years agoRefactored heavily #ifdefd capability code to its own libstrongswan class
Martin Willi [Tue, 3 Jul 2012 11:07:24 +0000 (13:07 +0200)]
Refactored heavily #ifdefd capability code to its own libstrongswan class

7 years agoUse spin locks to update IKE_SAs in controller_t
Tobias Brunner [Wed, 4 Jul 2012 07:11:13 +0000 (09:11 +0200)]
Use spin locks to update IKE_SAs in controller_t

This ensures the listeners don't miss any events after the SAs have been
checked out in the asynchronously executed jobs.  This is a matter of
memory visibility and not primary a matter of exclusive access.

7 years agoAdded wrapper for POSIX spin locks
Tobias Brunner [Wed, 4 Jul 2012 07:07:20 +0000 (09:07 +0200)]
Added wrapper for POSIX spin locks

7 years agoFixed job handling in controller_t
Tobias Brunner [Tue, 3 Jul 2012 09:30:00 +0000 (11:30 +0200)]
Fixed job handling in controller_t

Also IKE_SAs are now checked out in the jobs and not before.

7 years agoAdd charon-nm to .gitignore
Martin Willi [Tue, 3 Jul 2012 15:41:14 +0000 (17:41 +0200)]
Add charon-nm to .gitignore

7 years agoDefault to register_printf_specifier() if no printf hooking #defined
Martin Willi [Mon, 2 Jul 2012 16:00:33 +0000 (18:00 +0200)]
Default to register_printf_specifier() if no printf hooking #defined

This allows us to build (non-./configured) external tools against
libstrongswan without explicitly specifiying the most commonly used
printf hooking function.

7 years agoopenssl: Ensure the thread ID is never zero
Tobias Brunner [Sat, 30 Jun 2012 08:05:41 +0000 (10:05 +0200)]
openssl: Ensure the thread ID is never zero

This might otherwise cause problems because OpenSSL tries to lock
mutexes recursively if it assumes the lock is held by a different
thread e.g. during FIPS initialization.

7 years agoAccept non-"/0" subnet sizes for traffic selectors starting at 0.0.0.0
Martin Willi [Mon, 2 Jul 2012 15:25:26 +0000 (17:25 +0200)]
Accept non-"/0" subnet sizes for traffic selectors starting at 0.0.0.0

7 years agoUpdate our network-manager-strongswan/debian to what is actually used downstream
Martin Willi [Mon, 2 Jul 2012 08:18:59 +0000 (10:18 +0200)]
Update our network-manager-strongswan/debian to what is actually used downstream

7 years agoremove virtual IP for moon's inner interface 5.0.0
Andreas Steffen [Fri, 29 Jun 2012 21:20:32 +0000 (23:20 +0200)]
remove virtual IP for moon's inner interface

7 years agoAdded GPL header to AndroidConfigLocal.h
Tobias Brunner [Fri, 29 Jun 2012 14:08:17 +0000 (16:08 +0200)]
Added GPL header to AndroidConfigLocal.h

7 years agoAdded GPL header to scripts
Tobias Brunner [Fri, 29 Jun 2012 14:07:10 +0000 (16:07 +0200)]
Added GPL header to scripts

7 years agoAdded LICENSE file to the distribution
Tobias Brunner [Fri, 29 Jun 2012 13:23:46 +0000 (15:23 +0200)]
Added LICENSE file to the distribution

7 years agoAdded OpenSSL/GPL exception to LICENSE file
Tobias Brunner [Fri, 29 Jun 2012 13:20:23 +0000 (15:20 +0200)]
Added OpenSSL/GPL exception to LICENSE file

Also updated other parts of the license.

7 years agoRemoved superfluous remove_hasher() call in md5 plugin
Tobias Brunner [Fri, 29 Jun 2012 14:22:41 +0000 (16:22 +0200)]
Removed superfluous remove_hasher() call in md5 plugin

7 years agoPass "lo" as faked tundev to NM, as it now needs a valid interface since 0.9
Martin Willi [Fri, 29 Jun 2012 13:21:57 +0000 (15:21 +0200)]
Pass "lo" as faked tundev to NM, as it now needs a valid interface since 0.9

7 years agoAs a responder, don't start a TRANSACTION request if we expect one from the initiator
Martin Willi [Fri, 29 Jun 2012 11:40:05 +0000 (13:40 +0200)]
As a responder, don't start a TRANSACTION request if we expect one from the initiator

7 years agoan IKE daemon needs these plugins but a PDP doesn't
Andreas Steffen [Fri, 29 Jun 2012 04:24:02 +0000 (06:24 +0200)]
an IKE daemon needs these plugins but a PDP doesn't

7 years agoadded Ubuntu 12.04 LTS i686 measurements
Andreas Steffen [Thu, 28 Jun 2012 20:20:44 +0000 (22:20 +0200)]
added Ubuntu 12.04 LTS i686 measurements

7 years agoIMCs and IMVs might depend on X.509 certificates or trusted public keys
Andreas Steffen [Thu, 28 Jun 2012 15:55:02 +0000 (17:55 +0200)]
IMCs and IMVs might depend on X.509 certificates or trusted public keys

7 years agoadded ikev1/virtual-ip scenario
Andreas Steffen [Thu, 28 Jun 2012 12:52:07 +0000 (14:52 +0200)]
added ikev1/virtual-ip scenario

7 years agocorrected description of ikev1/ip-pool-db scenario
Andreas Steffen [Thu, 28 Jun 2012 12:44:10 +0000 (14:44 +0200)]
corrected description of ikev1/ip-pool-db scenario

7 years agocorrected description of ikev1/ip-pool scenario
Andreas Steffen [Thu, 28 Jun 2012 12:42:34 +0000 (14:42 +0200)]
corrected description of ikev1/ip-pool scenario

7 years agoadded ikev1/ip-pool scenario
Andreas Steffen [Thu, 28 Jun 2012 12:37:04 +0000 (14:37 +0200)]
added ikev1/ip-pool scenario

7 years agomerged xauth-id-rsa and xauth-rsa-config scenarios
Andreas Steffen [Thu, 28 Jun 2012 12:23:47 +0000 (14:23 +0200)]
merged xauth-id-rsa and xauth-rsa-config scenarios

7 years agoDefined a macro to replace strerror(3) with calls to thread-safe wrapper
Tobias Brunner [Thu, 28 Jun 2012 10:13:05 +0000 (12:13 +0200)]
Defined a macro to replace strerror(3) with calls to thread-safe wrapper

7 years agoThread-safe wrapper around strerror(3)/strerror_r(3) added
Tobias Brunner [Wed, 27 Jun 2012 16:42:25 +0000 (18:42 +0200)]
Thread-safe wrapper around strerror(3)/strerror_r(3) added

7 years agoShow some uname() info in "ipsec statusall"
Martin Willi [Thu, 28 Jun 2012 09:56:40 +0000 (11:56 +0200)]
Show some uname() info in "ipsec statusall"

7 years agoShow some uname() info during charon startup
Martin Willi [Thu, 28 Jun 2012 09:56:15 +0000 (11:56 +0200)]
Show some uname() info during charon startup

7 years agocharon automatically removes virtual interfaces
Andreas Steffen [Thu, 28 Jun 2012 07:30:24 +0000 (09:30 +0200)]
charon automatically removes virtual interfaces

7 years agolibcharon also requires kernel interfaces and a socket implementation
Tobias Brunner [Wed, 27 Jun 2012 10:14:16 +0000 (12:14 +0200)]
libcharon also requires kernel interfaces and a socket implementation

7 years agoDefer quick mode initiation if we expect a mode config request
Martin Willi [Tue, 26 Jun 2012 08:36:49 +0000 (10:36 +0200)]
Defer quick mode initiation if we expect a mode config request

7 years agoQueue a mode config task as responder if we need a virtual IP
Martin Willi [Tue, 26 Jun 2012 08:35:24 +0000 (10:35 +0200)]
Queue a mode config task as responder if we need a virtual IP

7 years agoAdd basic support for XAuth responder authentication
Martin Willi [Thu, 14 Jun 2012 14:13:10 +0000 (16:13 +0200)]
Add basic support for XAuth responder authentication

7 years agoMap XAuth responder authentication methods between IKEv1 and IKEv2
Martin Willi [Thu, 14 Jun 2012 14:08:28 +0000 (16:08 +0200)]
Map XAuth responder authentication methods between IKEv1 and IKEv2

7 years agoShow remote EAP/XAuth identity in "statusall" on a separate line
Martin Willi [Wed, 27 Jun 2012 09:40:53 +0000 (11:40 +0200)]
Show remote EAP/XAuth identity in "statusall" on a separate line

7 years agogcrypt: Register SHA1 first as HASH_PREFERRED depends on it
Tobias Brunner [Wed, 27 Jun 2012 09:30:55 +0000 (11:30 +0200)]
gcrypt: Register SHA1 first as HASH_PREFERRED depends on it

7 years agoUse static plugin features in libcharon to define essential dependencies
Tobias Brunner [Wed, 27 Jun 2012 09:27:36 +0000 (11:27 +0200)]
Use static plugin features in libcharon to define essential dependencies

7 years agoUse static plugin features in charon-nm
Tobias Brunner [Mon, 25 Jun 2012 16:58:53 +0000 (18:58 +0200)]
Use static plugin features in charon-nm

7 years agoIgnore a received %any virtual IP for installation
Martin Willi [Tue, 26 Jun 2012 16:00:40 +0000 (18:00 +0200)]
Ignore a received %any virtual IP for installation

7 years agoMask the configured mark value to ensure it is in range
Tobias Brunner [Tue, 26 Jun 2012 10:50:58 +0000 (12:50 +0200)]
Mask the configured mark value to ensure it is in range

7 years agoSome updates in ipsec.conf(5) for 5.0.0
Tobias Brunner [Tue, 26 Jun 2012 10:39:53 +0000 (12:39 +0200)]
Some updates in ipsec.conf(5) for 5.0.0

7 years agoAdded MAC wrappers to Android.mk
Tobias Brunner [Tue, 26 Jun 2012 05:58:04 +0000 (07:58 +0200)]
Added MAC wrappers to Android.mk

7 years agoAlso build charon's IKEv1 implementation on Android
Tobias Brunner [Fri, 22 Jun 2012 11:33:38 +0000 (13:33 +0200)]
Also build charon's IKEv1 implementation on Android

7 years agoBuild nonce plugin on Android
Tobias Brunner [Fri, 22 Jun 2012 11:32:07 +0000 (13:32 +0200)]
Build nonce plugin on Android

7 years agoMissing source file added to libcharon's Android.mk
Tobias Brunner [Fri, 22 Jun 2012 11:31:14 +0000 (13:31 +0200)]
Missing source file added to libcharon's Android.mk

7 years agoscepclient: Added support to build it on Android
Tobias Brunner [Thu, 14 Jun 2012 16:35:58 +0000 (18:35 +0200)]
scepclient: Added support to build it on Android

7 years agoAdded support for the curl plugin on Android
Tobias Brunner [Thu, 14 Jun 2012 16:20:35 +0000 (18:20 +0200)]
Added support for the curl plugin on Android

7 years agoAvoid SIGSEGV during shutdown if charon is not started as root
Tobias Brunner [Mon, 25 Jun 2012 17:00:00 +0000 (19:00 +0200)]
Avoid SIGSEGV during shutdown if charon is not started as root

7 years agoNEWS about thread pool updates added
Tobias Brunner [Mon, 25 Jun 2012 16:01:23 +0000 (18:01 +0200)]
NEWS about thread pool updates added

7 years agoMake rescheduling a job more predictable
Tobias Brunner [Thu, 21 Jun 2012 08:10:25 +0000 (10:10 +0200)]
Make rescheduling a job more predictable

This avoids race conditions between calls to cancel() and jobs that like
to be rescheduled.  If jobs were able to reschedule themselves it would
theoretically be possible that two worker threads have the same job
assigned (the one currently executing the job and the one executing the
same but rescheduled job if it already is time to execute it), this means
that cancel() could be called twice for that job.

Creating a new job based on the current one and reschedule that is also
OK, but rescheduling itself is more efficient for jobs that need to be
executed often.

7 years agoCentralized thread cancellation in processor_t
Tobias Brunner [Tue, 19 Jun 2012 11:29:09 +0000 (13:29 +0200)]
Centralized thread cancellation in processor_t

This ensures that no threads are active when plugins and the rest of the
daemon are unloaded.

callback_job_t was simplified a lot in the process as its main
functionality is now contained in processor_t.  The parent-child
relationships were abandoned as these were only needed to simplify job
cancellation.

7 years agoGive processor_t more control over the lifecycle of a job
Tobias Brunner [Tue, 19 Jun 2012 08:45:17 +0000 (10:45 +0200)]
Give processor_t more control over the lifecycle of a job

Jobs are now destroyed by the processor, but they are allowed to
reschedule themselves.  That is, parts of the reschedule functionality
already provided by callback_job_t is moved to the processor.  Not yet
fully supported is JOB_REQUEUE_DIRECT and canceling jobs.

Note: job_t.destroy() is now called not only for queued jobs but also
after execution or cancellation of jobs.  job_t.status can be used to
decide what to do in said method.

7 years agoAdded a method to plugin_loader_t to add 'static' plugin features
Tobias Brunner [Wed, 20 Jun 2012 09:47:58 +0000 (11:47 +0200)]
Added a method to plugin_loader_t to add 'static' plugin features

This allows daemons and other components to register plugin features
like those provided by plugins (following the same lifecycle).

The added features are internally handled like they were added by a
plugin.

7 years agoMake sure that all features of critical plugins are loaded
Tobias Brunner [Wed, 20 Jun 2012 09:34:46 +0000 (11:34 +0200)]
Make sure that all features of critical plugins are loaded

7 years agoAdded an option to rename the ipsec script during installation
Tobias Brunner [Tue, 19 Jun 2012 15:12:53 +0000 (17:12 +0200)]
Added an option to rename the ipsec script during installation

Also rename the man page and adjust all references in the script, the
man page and other files.

Closes #194.

7 years agoRemoved -o argument when creating .../ipsec.d with install
Tobias Brunner [Tue, 19 Jun 2012 15:26:54 +0000 (17:26 +0200)]
Removed -o argument when creating .../ipsec.d with install

This should have been removed with 2b52d5cb41.

7 years agoUpdated ipsec script man page after removing pluto
Tobias Brunner [Tue, 19 Jun 2012 14:09:50 +0000 (16:09 +0200)]
Updated ipsec script man page after removing pluto

7 years agoUse mac_t and PRF and signer wrappers in cmac plugin
Tobias Brunner [Mon, 25 Jun 2012 11:00:57 +0000 (13:00 +0200)]
Use mac_t and PRF and signer wrappers in cmac plugin

7 years agoUse mac_t and PRF and signer wrappers in xcbc plugin
Tobias Brunner [Mon, 25 Jun 2012 10:50:55 +0000 (12:50 +0200)]
Use mac_t and PRF and signer wrappers in xcbc plugin

7 years agoMake the hmac_t interface a generic interface for message authentication codes
Tobias Brunner [Mon, 25 Jun 2012 09:37:04 +0000 (11:37 +0200)]
Make the hmac_t interface a generic interface for message authentication codes

7 years agoSimplified creation of PRFs and signers in openssl and hmac plugins
Tobias Brunner [Fri, 22 Jun 2012 09:30:46 +0000 (11:30 +0200)]
Simplified creation of PRFs and signers in openssl and hmac plugins

7 years agoFunction to convert PRFs to hash algorithms added
Tobias Brunner [Fri, 22 Jun 2012 09:28:43 +0000 (11:28 +0200)]
Function to convert PRFs to hash algorithms added

7 years agohasher_algorithm_from_integrity() optionally returns truncation length
Tobias Brunner [Fri, 22 Jun 2012 09:28:10 +0000 (11:28 +0200)]
hasher_algorithm_from_integrity() optionally returns truncation length

7 years agoUse simple wrappers for HMAC based PRF and signer in openssl plugin
Tobias Brunner [Fri, 22 Jun 2012 08:52:20 +0000 (10:52 +0200)]
Use simple wrappers for HMAC based PRF and signer in openssl plugin

7 years agoUse simple wrappers for HMAC based PRF and signer in hmac plugin
Tobias Brunner [Fri, 22 Jun 2012 08:38:37 +0000 (10:38 +0200)]
Use simple wrappers for HMAC based PRF and signer in hmac plugin

7 years agoSimple wrappers for HMAC based prf_t and signer_t implementations added
Tobias Brunner [Fri, 22 Jun 2012 07:39:09 +0000 (09:39 +0200)]
Simple wrappers for HMAC based prf_t and signer_t implementations added

7 years agoRefactored OpenSSL based HMAC implementation
Tobias Brunner [Thu, 21 Jun 2012 11:10:26 +0000 (13:10 +0200)]
Refactored OpenSSL based HMAC implementation

7 years agoAdding OpenSSL HMAC signer functions to openssl plugin
Aleksandr Grinberg [Wed, 20 Jun 2012 20:46:21 +0000 (13:46 -0700)]
Adding OpenSSL HMAC signer functions to openssl plugin

7 years agoAdding OpenSSL HMAC pseudo random functions to openssl plugin
Aleksandr Grinberg [Wed, 20 Jun 2012 20:43:47 +0000 (13:43 -0700)]
Adding OpenSSL HMAC pseudo random functions to openssl plugin

7 years agoAdding OpenSSL random number functions to openssl plugin
Aleksandr Grinberg [Wed, 20 Jun 2012 20:39:37 +0000 (13:39 -0700)]
Adding OpenSSL random number functions to openssl plugin

7 years agoFixed IPv6 source address lookup
Tobias Brunner [Mon, 18 Jun 2012 10:01:10 +0000 (12:01 +0200)]
Fixed IPv6 source address lookup

Because Linux kernels prior to 3.0 do not support RTA_PREFSRC for
IPv6 routes we didn't use NLM_F_DUMP to get all routes.
Still routes installed with policies are installed also for IPv6.
So since only one route is returned without DUMP, and we ignore
all routes from our own routing table, no source address was found
during roaming if DST of the installed route included the IKE peer.

With newer kernels we can now use DUMP as we did for IPv4 already,
for older kernels we do so if our own routes are installed in a
separate routing table, otherwise we still use GET.

7 years agoupdated default configuration of UML hosts to 5.0.0
Andreas Steffen [Mon, 25 Jun 2012 11:04:55 +0000 (13:04 +0200)]
updated default configuration of UML hosts to 5.0.0

7 years agoadded charon.cisco_unity to strongswan.conf.5 man page
Andreas Steffen [Mon, 25 Jun 2012 09:47:40 +0000 (11:47 +0200)]
added charon.cisco_unity to strongswan.conf.5 man page

7 years agosupport Cisco Unity VID
Andreas Steffen [Mon, 25 Jun 2012 09:00:12 +0000 (11:00 +0200)]
support Cisco Unity VID

7 years agoEnable xauth-generic by default but don't build it if IKEv1 is disabled
Tobias Brunner [Mon, 25 Jun 2012 09:07:49 +0000 (11:07 +0200)]
Enable xauth-generic by default but don't build it if IKEv1 is disabled

7 years agoRemove CREDITS from distribution
Tobias Brunner [Mon, 25 Jun 2012 09:07:35 +0000 (11:07 +0200)]
Remove CREDITS from distribution

7 years agoThe AUTHORS file is required by automake
Tobias Brunner [Mon, 25 Jun 2012 08:59:27 +0000 (10:59 +0200)]
The AUTHORS file is required by automake

7 years agoLICENSE file updated
Tobias Brunner [Thu, 21 Jun 2012 16:14:43 +0000 (18:14 +0200)]
LICENSE file updated

7 years agoldaphost and ldapbase ca section keywords are deprecated
Tobias Brunner [Thu, 21 Jun 2012 16:04:18 +0000 (18:04 +0200)]
ldaphost and ldapbase ca section keywords are deprecated

7 years agoRemoved pluto-specifics from ipsec script
Tobias Brunner [Thu, 21 Jun 2012 15:58:59 +0000 (17:58 +0200)]
Removed pluto-specifics from ipsec script

7 years agoREADME file cleaned up and updated
Tobias Brunner [Thu, 21 Jun 2012 15:55:08 +0000 (17:55 +0200)]
README file cleaned up and updated

7 years agoEnforce uniqueids=keep based on XAuth identity
Martin Willi [Thu, 14 Jun 2012 13:25:11 +0000 (15:25 +0200)]
Enforce uniqueids=keep based on XAuth identity

7 years agoDon't send XAUTH_OK if a hook prevents SA to establish
Martin Willi [Thu, 14 Jun 2012 13:23:57 +0000 (15:23 +0200)]
Don't send XAUTH_OK if a hook prevents SA to establish

7 years agoEnforce uniqueids=keep only for non-XAuth Main/Agressive Modes
Martin Willi [Thu, 14 Jun 2012 13:08:37 +0000 (15:08 +0200)]
Enforce uniqueids=keep only for non-XAuth Main/Agressive Modes

7 years agoShow EAP/XAuth identity in "ipsec status", if available
Martin Willi [Thu, 14 Jun 2012 13:07:44 +0000 (15:07 +0200)]
Show EAP/XAuth identity in "ipsec status", if available